Adversaries may use Attrib commands to gather file attribute information across multiple drives as part of reconnaissance before deploying Macaw ransomware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential pre-attack reconnaissance activities and mitigate the risk of ransomware deployment.
KQL Query

```kql
DeviceProcessEvents
| where InitiatingProcessParentFileName endswith "PSEXESVC.exe"
| where InitiatingProcessCommandLine has ".bat"
| where FileName =~ "cmd.exe" and ProcessCommandLine has_all("-s", "-h", "-r", "-a", "*.*")
| take 100
```
```yaml
id: 28f56c18-a66e-4c51-94f6-3c8902cb58af
name: PSExec Attrib commands
description: |
  Prior to deploying Macaw ransomware in an organization, adversaries will use Attrib to display file attribute information on multiple drives and all subfolders.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Discovery
  - Ransomware
query: |
  DeviceProcessEvents
  | where InitiatingProcessParentFileName endswith "PSEXESVC.exe"
  | where InitiatingProcessCommandLine has ".bat"
  | where FileName =~ "cmd.exe" and ProcessCommandLine has_all("-s", "-h", "-r", "-a", "*.*")
  | take 100
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: System Maintenance Task Using Attrib
Description: A system administrator runs the attrib command as part of a routine disk cleanup or file attribute verification task.
Filter/Exclusion: process.parent_process == "Task Scheduler" or process.command_line contains "clean" or process.command_line contains "maintenance"

Scenario: Scheduled Job for File Integrity Monitoring
Description: A security tool or script runs attrib to check file attributes as part of a file integrity monitoring (FIM) process.
Filter/Exclusion: process.command_line contains "fim" or process.command_line contains "integrity" or process.command_line contains "check" or process.command_line contains "monitor"

Scenario: Admin User Performing File Attribute Check
Description: A privileged user (e.g., Administrator) uses attrib to inspect file attributes during troubleshooting or auditing.
Filter/Exclusion: process.user == "Administrator" or process.command_line contains "audit" or process.command_line contains "troubleshoot"

Scenario: PowerShell Script Using Attrib for Automation
Description: A legitimate PowerShell script uses attrib to modify or check file attributes as part of an automation workflow.
Filter/Exclusion: process.parent_process == "powershell.exe" and (process.command_line contains "script" or process.command_line contains "automation")

Scenario: Backup Tool Using Attrib for File Attributes
Description: A backup or archive tool (e.g., Robocopy, rsync, or Veeam) uses attrib to preserve or verify file attributes during data transfer.
Filter/Exclusion: process.command_line contains "backup" or process.command_line contains "archive" or process.command_line contains "robocopy" or process.command_line contains "rsync"
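The following is an added tuning example and is not the hunting query from the page or from the Azure Sentinel repository. It takes the PSExec Attrib detection above, expresses the exclusion scenarios as KQL `where` clauses, and groups the remaining hits per device so that attrib being run against several drives on one host stands out. Assumptions: the columns `Timestamp`, `DeviceName`, `AccountName` and `InitiatingProcessFileName` are used from the `DeviceProcessEvents` schema; the benign-term list is the union of the command-line terms in the scenarios; the 7-day lookback, the two-drive threshold and the drive-letter regex (which expects a `X:\` path in the command line) are arbitrary choices. The Task Scheduler parent exclusion is not encoded because the query already requires a `PSEXESVC.exe` grandparent, which a scheduled task cannot satisfy.

```kql
// Added example: PSExec Attrib hunt with scenario exclusions and per-device grouping.
// Not the original hunting query; column names beyond the original query, the
// lookback, the threshold and the regex are assumptions.
let lookback = 7d;                                  // assumed time window
let benignTerms = dynamic(["clean", "maintenance", "fim", "integrity", "check",
                           "monitor", "audit", "troubleshoot", "script",
                           "automation", "backup", "archive", "robocopy", "rsync"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Original detection logic from the page
| where InitiatingProcessParentFileName endswith "PSEXESVC.exe"
| where InitiatingProcessCommandLine has ".bat"
| where FileName =~ "cmd.exe" and ProcessCommandLine has_all("-s", "-h", "-r", "-a", "*.*")
// Exclusions taken from the scenarios above (term-based ones collapsed into one list)
| where not(ProcessCommandLine has_any (benignTerms))
// "PowerShell Script Using Attrib" scenario: the direct parent is PowerShell
| where not(InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
            and ProcessCommandLine has_any ("script", "automation"))
// "Admin User" scenario. Left commented out on purpose: PsExec-driven activity
// normally runs under an admin account as well, so this exclusion would hide
// exactly the activity the hunt is looking for. Enable only after review.
// | where not(AccountName =~ "Administrator")
// Pull the drive letter out of the command line (assumes an X:\ style path)
| extend DriveLetter = toupper(extract(@"\b([A-Za-z]):\\", 1, ProcessCommandLine))
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Drives    = make_set_if(DriveLetter, isnotempty(DriveLetter)),
            DriveCount = dcountif(DriveLetter, isnotempty(DriveLetter)),
            Accounts  = make_set(AccountName),
            CommandLines = make_set(ProcessCommandLine, 10)
  by DeviceName, InitiatingProcessCommandLine
// Assumed threshold: attrib against two or more drives on one host within the window
| where DriveCount >= 2
| order by DriveCount desc, LastSeen desc
```

Dropping the final `where DriveCount >= 2` line returns every host that matched the original predicate, which is the better starting point when first validating the query in an environment; the threshold is only useful once the term exclusions have been checked against that environment's own maintenance and backup tooling.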